Received: from mail4.protonmail.ch (mail4.protonmail.ch [185.70.40.27])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id EC322781F33
	for <~alpine/devel@lists.alpinelinux.org>; Mon, 28 Oct 2019 15:55:41 +0000 (UTC)
Date: Mon, 28 Oct 2019 15:55:37 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cogitri.dev;
	s=protonmail; t=1572278141;
	bh=PQ7q9Q77dSvSxbFwToBs2NgECoCANM5e/Y6XUKtaqAw=;
	h=Date:To:From:Reply-To:Subject:In-Reply-To:References:Feedback-ID:
	 From;
	b=aVxVvjeWNIc6ivVUOFG4Lgf+TsAOmlCE2ShRE+im7FIWRqMpB/MfraTYYBgv8B2V4
	 aoSfVVA6/cxxcSRbCdQ6J0nk6JyUjqxtH7ESeCAN7yXRD/+peEfhBqcYwE8Y7VI5/+
	 GwRPNwEziRXOolnSoZe0YlvcW4UYaBp61L8O608k=
To: =?UTF-8?Q?S=C3=B6ren_Tempel?= <soeren@soeren-tempel.net>, ~alpine/devel@lists.alpinelinux.org
From: Rasmus Thomsen <oss@cogitri.dev>
Reply-To: Rasmus Thomsen <oss@cogitri.dev>
Subject: Re: Alpine community governance
Message-ID: <0600fd79fdc1131df18906aaac67d095d74199bf.camel@cogitri.dev>
In-Reply-To: <2HW3TY8QZIYUE.3N08DKW6AEFNN@8pit.net>
References: <BXZLAL5IFNQW.15ACK4H0U6JGN@homura>
 <5152c7bd5e788aadfb987281a47107a4f3959860.camel@cogitri.dev>
 <2HW3TY8QZIYUE.3N08DKW6AEFNN@8pit.net>
Feedback-ID: LZW2MXNaH7NSG88i8lGpebeqB0wmcl0-3TbzkSuzsmAwEQspn4GI-WRe8j3PhRL4SBmua4rQWq6fadPcLS5uxQ==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="b1_3612bd888e5d6fc5c6308b4a2e47c7e5"
X-Spam-Status: No, score=-1.2 required=7.0 tests=ALL_TRUSTED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF autolearn=ham
	autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.protonmail.ch

This is a multi-part message in MIME format.

--b1_3612bd888e5d6fc5c6308b4a2e47c7e5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Sun, 2019-10-27 at 17:15 +0100, S=C3=B6ren Tempel wrote:
> Rasmus Thomsen <oss@cogitri.dev> wrote:
> > Hm, although that does sound like it'd significantly lessen the
> > workload on core member I dislike this approach, at least with how
> > we
> > currently handle maintainership of packages.
>=20
> To move my discussion contribution from the IRC to the ML: IMHO we
> should rethink the aport maintainer role in general. Many package
> maintainer comments are horribly outdated and contain contact
> information of people who haven't committed in the past few years.
> Some
> packages (even in main/ and community/) don't even have a maintainer
> comment.

Yes, right now maintainership often doesn't reflect who actually takes
care of a package, but I don't think the work of always keeping this
up-to-date is worth it (considering how often people come and go in the
OSS landscape).

> Even packages with accurate maintainer comments are often poorly
> maintained, by the person maintained in the maintainer comment, i.e.
> updates are done by different developers et cetera.
>=20
> In my ideal scenario package upgrades would always be done by the
> maintainer (would also reduce the patch queue as trivial package
> upgrades are no longer part of it).

That's terrible IMHO since this often creates a "this is MY package"
mentality, disallowing people other than the maintainer upgrading the
package and as such holding up progress. I mostly noticed that in the
time I used Gentoo, sometimes patches just sat around for months
without anyone looking at them because only the maintainer was allowed
to look at them (and was absent for a long time). One solution to this
could be agressively handing over the maintainance of packages who's
maintainer has been absent to a "Alpine general" (or something along
those lines) group which will then take care of updating it until
another maintainer has been found. But I fear that that'll create lots
of bureaucratic work for little gain, which can both demotivate
maintainers (it's annoying when you first have to ask for
maintainership of a package before being able to upgrade and might even
fence off new contributors which don't know our process well) and holds
off others from doing more useful things (like updating packages).

>  It should also be possible to
> contact the maintainer regarding issues with the aport

Hm, IMHO contacting the maintainer directly isn't a good tactic,
because:

* Maintainers often are absent (which is just in the nature of OSS)
* Private communications aren't searchable my others (like Gitlab
issues are)
* Often asking the upstream of the package is better than asking the
maintainer

>  and the
> maintainer should be responsible for reviewing patches submitted to
> GitLab/GitHub/Patchwork.

Again, maintainers in OSS projects often go absent without a warning,
maybe because they lost interest in the project or don't have enough
freetime to contribute anymore. This could lead to patches rotting for
a long time instead of letting a known group of coredevs review the
patch.

> Currently, the maintainer is just some person who added their contact
> information to the aport at some point in time. Debian, for instance,
> has a very elaborate process for this sort of thing which might help
> avoiding some of these pitfalls [0].

A very elaborate process, which create lots of work and scares new
contributors off (or at least it least it does so for me). Really, the
ease of contributing to Alpine is a great thing and it'd be a shame if
we lost that.

> > Maybe just having somewhat strict CI rules and only allowing a
> > merge
> > if CI passes would do the trick to ensure QA is done though.
>=20
> I disagree, I don't think CI rules can ever be good enough to catch
> any
> sort of mistakes that a manual review might find. Also consider
> malicious patches added to an aport, et cetera.

Yup, it sure isn't good enough, but just letting maintainers push
without any checks in place other than that they maintain the package
is even worse.

> Cheers,
> S=C3=B6ren

Regards,

Rasmus
> [0]:=20
> https://wiki.debian.org/DebianMaintainer#Becoming_a_Debian_Maintainer


--b1_3612bd888e5d6fc5c6308b4a2e47c7e5
Content-Type: application/pgp-signature; name="signature.asc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=signature.asc

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUV1WEFWYTVoYXNT
Y08yaFp3WmJ6UURYYkkrSWdGQWwyM0QzY0FDZ2tRWmJ6UURYYkkKK0loV2JRLy9Sa0V3dTJtMUs5
c0Qybmo4djNSN2tiVmJNZXkwcWh0Ny9VVllOeDJVRkwyUFp5MVozNnhGWGxHVApYR3k0T1pHTG1F
ZnByeU9GV09vUEpmcXhVQ1JWenJHY3dteHNGT2plblFtaUF4QTZBV0QxaFl6V2JBZEhqd3hlCnlC
M1JCcjBMcVFEajQ0amRZV2szSDllbWJseDQxN3FkODE0V0pwOTBnZTNhOWkzUFh0WnBCK1RBV1dI
NjJRY1cKRmJDeHJTWFlIOE9qSGxrcGlja3QvVHgxWUlpWHZBYUI3TUplNGVPWmkxSUllbTV1QmRJ
b0NhNXpYRDhwbWxQTApYNEV0SzRVQTBCTVJzQmdzSUNHTnBnQmk2cmtBTURBNVhjeG9lUnZwcDQy
NWF6ditFa2ZRSlpEd2tmSTN2eXRPCmZONVhtU29EZ2FuaGtWdTVieWZ0TDlxVy91ZWhLMm5VY3Fy
eVo3RUhMT1doNDlxdFBZKzVkaHZZV2NCYzRzN3kKSEFSOU5IMURRWDlDV0o2MCtWNU5zdFpYeVVm
UDRrUmVOZFlNcXhiSjJsZ1JNNjNKMzFZSWlSMEVvTGlvUncxWQpvdjBHYUVzSnBLOXBnMmZZbkw3
SHlMcEZIMGRqNzM5Uk9lcXdzYnNwNWo1OGJuckxoVnlEMWxFTjdjWUZTcjNQCkNmZ0tRS0wyZGp2
eVFLakR3a29ORHhXVUxueXdNMnBwV09wbW5WUWdETW9RUlY2b2pwdytnSVhzRGU2dW9JanQKQmgw
SjZUcWdQUUNGbzZDYjhlZEZRMGN3MGpqWjV0VU5UWlNESjkwNkZ2VmRFWUZnL2lWOTBaMWtsUFlj
eHdQagpzYkdqTnhXNW5RYXRNYXhJbVVyVkQzTGZKNTdybkdyRVgyVmlVYVhQcTlSMVJLSHNmcDQ9
Cj1ycU1OCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=


--b1_3612bd888e5d6fc5c6308b4a2e47c7e5--